chore(deps): update dependency storybook to v9.1.19 [security] - autoclosed#871
Closed
renovate[bot] wants to merge 1 commit intomainfrom
Closed
chore(deps): update dependency storybook to v9.1.19 [security] - autoclosed#871renovate[bot] wants to merge 1 commit intomainfrom
renovate[bot] wants to merge 1 commit intomainfrom
Conversation
renovate
bot
force-pushed
the
renovate/npm-storybook-vulnerability
branch
from
f05f169 to
1f4e2cd
Compare
renovate
bot
force-pushed
the
renovate/npm-storybook-vulnerability
branch
from
1f4e2cd to
addd981
Compare
|
renovate
bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.1.17→9.1.19GitHub Vulnerability Alerts
CVE-2026-27148
Summary
The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
Details
Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.
If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.
The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).
Note: recent versions of Chrome have some protections against this, but Firefox does not.
Impact
This vulnerability can lead to supply chain compromise. Key risks include:
Affected versions
8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.
Recommended actions
Update to one of the patched versions:
7.6.23,8.6.17,9.1.19,10.2.10.Release Notes
storybookjs/storybook (storybook)
v9.1.19Compare Source
9.1.19
v9.1.18Compare Source
9.1.18
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.